All users are in my mysql database available. I set a MYSQLDefaultUID/GID (pure,ftp) for all virtual users... root is _not_ able to login!
If I connect with any (virtual)user to pure I can watch the following:

When privilege separation is enabled, each session will spawn two processes :
a "privileged" process running as root, but that can only do very basic
and trusted actions (binding a port and remove the ftpwho scoreboard) and
the "client" process. The "client" process definitely revokes all privileges
after authentication and chroot() and punctually communicates with the
parent over a private channel.

Privilege separation decreases performance of loaded servers, but it
increases security and reliability. Enabling it is recommended.